About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- powershell_heavy
- windows_tools
- windows_first
Summary:
The documentation page demonstrates a Windows bias in several ways. Many of the analytic rules and hunting queries focus on Windows-specific tools, processes and attack techniques (e.g., rundll32.exe, PowerShell, Certutil, the Exchange PowerShell Snapin, Windows system shutdown/reboot). There is a notable emphasis on PowerShell-based attacks and on Windows-native binaries (LOLBins), with little or no mention of Linux equivalents. The process activity and hunting queries sections are particularly Windows-centric; Linux tools, commands and attack patterns are not represented at all. This gives the impression that the content is relevant mainly to Windows environments.
Recommendations:
- Add Linux-specific analytic rules and hunting queries, such as detection of common Linux persistence techniques: suspicious use of bash, cron jobs, or systemd services.
- Include examples of Linux-native attack tooling and abuse patterns (e.g., bash scripts, Python reverse shells, netcat, SSH key or credential abuse) alongside the Windows tools.
- Balance the coverage of Windows and Linux by providing parity in detection rules for both platforms (e.g., detect suspicious sudo usage, unauthorized changes to /etc/passwd, or Linux-specific malware).
- Explicitly state cross-platform applicability where it exists, and mark a rule as Windows-only where it is.
- Add hunting queries and analytic rules for Linux process activity, file activity, and network events, not only Windows-centric ones.
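As an illustration of the Linux-side detections these recommendations call for, here is an added example; it is not part of the reviewed documentation page or of any Azure product. It runs simple detection logic over a few constructed rsyslog-format lines (hostnames, users and every log line are made up for the example) and flags four of the signals named above: sudo spawning an interactive shell, a sudo denial ("user NOT in sudoers"), a new UID 0 account (a second root entry written to /etc/passwd by useradd), and a crontab replacement used for persistence. In the Azure service the page reviews (presumably Microsoft Sentinel, which the page does not name) the same logic would be written as a KQL query over its Syslog table rather than in Python; the point here is the detection logic itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in stock rsyslog format (not taken from any real host).
SAMPLE_LOG = """\
Mar 10 12:00:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
Mar 10 12:00:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 10 12:00:05 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 12:00:10 web01 useradd[2345]: new user: name=svc-backup, UID=0, GID=0, home=/root, shell=/bin/bash, from=/dev/pts/1
Mar 10 12:00:11 web01 useradd[2346]: new user: name=deploy, UID=1002, GID=1002, home=/home/deploy, shell=/bin/bash, from=/dev/pts/0
Mar 10 12:00:20 web01 crontab[3456]: (www-data) REPLACE (www-data)
Mar 10 12:00:21 web01 crontab[3457]: (alice) LIST (alice)
"""

# Classic BSD syslog header: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# "(owner) ACTION (target)" as logged by crontab(1)
CRON_RE = re.compile(r"^\((?P<owner>[^)]+)\) (?P<action>[A-Z]+) \((?P<target>[^)]+)\)$")

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "fish"}
# Hypothetical list of accounts that should never own a crontab on this host.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache", "nginx", "mysql", "postgres"}


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into header fields; None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["msg"] = ev["msg"].strip()  # sudo pads the user name with spaces
    return ev


def _sudo_fields(msg: str):
    """'alice : TTY=pts/0 ; PWD=... ; COMMAND=/bin/bash' -> (user, {k: v}, [flag strings])."""
    user, _, rest = msg.partition(" : ")
    parts = [p.strip() for p in rest.split(" ; ")]
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    flags = [p for p in parts if "=" not in p]  # e.g. "user NOT in sudoers"
    return user.strip(), fields, flags


def check_sudo(ev: Dict[str, str]) -> List[Finding]:
    user, fields, flags = _sudo_fields(ev["msg"])
    cmd = fields.get("COMMAND", "")
    binary = cmd.split(" ", 1)[0].rsplit("/", 1)[-1]  # basename of the first token
    target = fields.get("USER", "?")
    if any("NOT in sudoers" in f for f in flags):
        return [Finding("sudo_denied", ev["host"], user, f"attempted as {target}: {cmd}")]
    if binary in SHELLS:
        # sudo used to obtain a root shell rather than run a single command
        return [Finding("sudo_shell", ev["host"], user, f"interactive shell as {target}: {cmd}")]
    return []


def check_useradd(ev: Dict[str, str]) -> List[Finding]:
    """Flag a new account with UID 0: a second root entry appended to /etc/passwd."""
    prefix = "new user: "
    if not ev["msg"].startswith(prefix):
        return []
    attrs = dict(p.split("=", 1) for p in ev["msg"][len(prefix):].split(", ") if "=" in p)
    if attrs.get("UID") == "0":
        return [Finding("uid0_account_created", ev["host"], attrs.get("name", "?"),
                        f"new UID 0 entry in /etc/passwd, shell={attrs.get('shell', '?')}")]
    return []


def check_crontab(ev: Dict[str, str]) -> List[Finding]:
    """Flag crontab REPLACE (crontab -e / crontab file); LIST and other actions are benign."""
    m = CRON_RE.match(ev["msg"])
    if not m or m["action"] != "REPLACE":
        return []
    note = "service account crontab modified" if m["target"] in SERVICE_ACCOUNTS else "crontab modified"
    return [Finding("cron_persistence", ev["host"], m["owner"], f"{note} for {m['target']}")]


CHECKS = {"sudo": check_sudo, "useradd": check_useradd, "crontab": check_crontab}


def hunt(log_text: str) -> List[Finding]:
    """Run every per-program check over the log and return findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_syslog(line)
        if ev is None:
            continue
        check = CHECKS.get(ev["prog"])
        if check:
            findings.extend(check(ev))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host} {f.user}: {f.detail}")
```

Run stand-alone it reports four findings (the sudo shell, the sudo denial, the UID 0 account and the www-data crontab) and stays silent on the benign systemctl invocation, the ordinary new user and the crontab listing. The per-program dispatch mirrors how such rules are usually split in a query library: one rule per ProcessName/Facility, each small enough to tune on its own.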